7/13/2011

Protecting KML Files from general public access in Google Maps

Google provides a way to include geospatial data in KML (Keyhole Markup Language) format and display that data in its map applications (Google Maps and Google Earth). For Google to display KML files in these applications, the files have to be publicly accessible to the Google servers. From an enterprise perspective, there is often a requirement to protect these KML files from unauthorized access. This can be a problem, as enterprises do not want to expose KML files publicly without any authentication.

So, until Google comes up with a solution (I am not sure whether it already has one), the following are my views on the options that can be considered.

Allow access to KML files only from specific IPs or IP ranges. This means we need to get the IP range of the Google Maps servers and allow access to the KML files only from these IPs.

Instead of using Google APIs to parse the KML files, we can use client-side processing libraries or implement our own KML parsing libraries (client side or server side) and use the Google Maps APIs to plot the places. As KML files are ultimately XML, any XML parsing technique can be used. Two of the client side libraries:

Maybe we can combine both options to display the KML overlays on top of Google Maps. Judging from the page source of the KML OpenLayers example (http://openlayers.org/dev/examples/kml-layer.html), the request does not appear to be sent to Google for KML parsing. So all the authentication and authorization can be performed by a server-side script, and this server-side script will be the URL for the KML file.

Use digital signatures to protect the KML files. In this option, we can use a simple public/private key pair to include a digital signature as part of the KML URL, and this signature will be verified before providing access to the KML file. This way, the KML files can be protected from unauthorized access, as we can make sure that the originator is our own server by establishing a unique signature for every KML URL. I will detail this option in the next blog post.
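
One way the signed-URL option could look in Node.js, as an added example that is not the author's own code. The Ed25519 key type, the `expires` and `sig` parameter names, the expiry check, the function names and the `maps.example.com` host are all assumptions made for illustration.

```javascript
// Added example: signed, expiring KML URLs (names and parameters are hypothetical).
const crypto = require('node:crypto');

// Constructed key pair for the demo; a real server would load a persistent key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// The signature covers the normalized path and the expiry time, so neither
// can be changed without invalidating it.
function canonical(pathname, expires) {
  return Buffer.from(`${pathname}\n${expires}`);
}

// Build the URL that is handed to the map API. `expires` is Unix time in seconds.
function signKmlUrl(base, path, expires, key = privateKey) {
  const url = new URL(path, base);
  const sig = crypto.sign(null, canonical(url.pathname, expires), key);
  url.searchParams.set('expires', String(expires));
  url.searchParams.set('sig', sig.toString('base64url'));
  return url.toString();
}

// Server-side check, run before the KML file is returned to the caller.
function verifyKmlUrl(rawUrl, now, key = publicKey) {
  const url = new URL(rawUrl);
  const expires = url.searchParams.get('expires') || '';
  const sig = url.searchParams.get('sig') || '';
  if (!/^\d{1,12}$/.test(expires)) return 'bad-expires';
  // An Ed25519 signature is 64 bytes, which is 86 base64url characters.
  if (!/^[A-Za-z0-9_-]{86}$/.test(sig)) return 'bad-signature';
  const ok = crypto.verify(null, canonical(url.pathname, expires), key,
    Buffer.from(sig, 'base64url'));
  if (!ok) return 'bad-signature';
  // Expiry is checked only after it has been authenticated by the signature.
  return Number(expires) < now ? 'expired' : 'ok';
}
```

Only the server that issues URLs needs the private key; any front-end that serves the KML files can verify with the public key alone.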